Upgrade curl to 8.21.0#18023
Draft
VijayenderReddyPutta wants to merge 1 commit into
Draft
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
This PR upgrades curl from 8.11.1 to 8.21.0.
The current package carries downstream backport patches for the CVEs listed below. These patches are removed in this PR because the fixes are already included in upstream curl releases through 8.21.0.
Removed downstream CVE patches now covered upstream
These CVEs were validated against curl’s official affected/fixed version matrix and security advisories. Because this package is being upgraded to 8.21.0, the downstream backport patches are no longer required.
For reference:
Compatibility / Breaking-Change Notes (Azure Linux)
Upgrades curl from 8.11.1 to 8.21.0.
Removes downstream Azure Linux backport patches because the included CVE fixes are now present upstream in curl 8.21.0.
Auth API change:
CURLAUTH_DIGEST_IE is no longer supported in 8.21.0.
Use CURLAUTH_DIGEST instead.
Protocol/feature changes in upgrade path:
RTMP removed.
SMB support is opt-in.
NTLM disabled by default in newer upstream builds.
Verify required protocols/features with curl --version.
TLS/dependency expectations:
Upstream tightened several dependency/version constraints across the included versions.
Validate runtime/build compatibility on pinned environments.
HTTP/2 behavior:
HTTP/2 stream dependency controls are deprecated/no-op in 8.21.0.
Validate latency/perf-sensitive HTTP/2 workloads.
Compatibility note: upstream curl 8.21.0 deprecates CURLOPT_STREAM_DEPENDS and CURLOPT_STREAM_DEPENDS_E; these options are retained for backward compatibility but no longer have any effect.
No Azure Linux packaging-level breaking changes were identified in this PR beyond the upstream curl behavior changes included in the version upgrade.
Consumers that depend on exact upstream curl 8.11.1 behavior should validate workloads against 8.21.0, especially if they use advanced HTTP/2 stream-priority/dependency APIs, connection reuse behavior, proxy authentication flows, STARTTLS, mTLS, or redirect credential handling.
Verdict: Safe to merge. No breaking changes upstream (8.11.1 → 8.21.0) affect this package's build configuration or default protocol/auth surface.
Reviewed breaking changes and their impact on this build (--with-ssl --with-gssapi --with-libssh2 --with-nghttp2 --enable-threaded-resolver):
<style> </style>Recommendation: No action required for this build. Only downstream consumers that explicitly use NTLM authentication should verify their integration continues to work as expected post-upgrade.
Change Log
SPECS/curl/curl.spec — bump to 8.21.0, drop 21 obsolete CVE patches, %changelog
SPECS/curl/curl.signatures.json — new source hash (d9b32799...7f99135e33bb)
SPECS/curl/CVE-2025-0167.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-1965.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2026-6253.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-0665.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-3783.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2025-0725.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-3784.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2026-6429.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-10148.patch — removed (fixed upstream in 8.16.0)
SPECS/curl/CVE-2026-4873.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-7168.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-14017.patch — removed (fixed upstream in 8.18.0)
SPECS/curl/CVE-2026-5545.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-6276.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-12064.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8926.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8927.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8932.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8458.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-10536.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8286.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-9079.patch — removed (fixed upstream in 8.21.0)
cgmanifest.json — curl 8.11.1 -> 8.21.0
Does this affect the toolchain?
NO
Associated issues
#xxxx
Links to CVEs
https://nvd.nist.gov/vuln/detail/CVE-2025-0665 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-0167 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-0725 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-10148 — already fixed in 8.16.0
https://nvd.nist.gov/vuln/detail/CVE-2025-14017 — already fixed in 8.18.0
https://nvd.nist.gov/vuln/detail/CVE-2026-1965 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-3783 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-3784 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-4873 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6276 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-7168 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-5545 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6253 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6429 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-12064 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8926 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8927 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8932 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8458 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-10536 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8286 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-9079 — already fixed in 8.21.0
Test Methodology

Local Build.
Buddy Build URL -